[nsp] blocking Msn messenger on PIX

Muhammad Talha talha at worldcall.net.pk
Wed Jul 14 03:24:15 EDT 2004

> Kristofer Sigurdsson wrote:
>
> >Mark Tinka, Tue, Jul 13, 2004 at 04:07:03PM +0200 :
> >
> >
> >>On Tuesday 13 July 2004 15:36, Paul Stewart wrote:
> >>
> >>
> >>>Unfortunately doesn't work unless you block port 80 as well and you
> >>>probably don't want to do that...  MSN messenger will default to TCP/80
> >>>when it can't reach 1863.  What I ended up doing at a few sites that had
> >>>their own internal DNS was creating entries for messenger.msn.com (double
> >>>check that - it may have changed) to point to 127.0.0.1 therefore it
> >>>couldn't login at all.... Worked like a dream....
> >>>
> >>>
> >>But this would work best if the site doesn't want 'everyone' using MSN. What
> >>about if only 10% of all staff are authorised to use it?
> >>
> >>The other issue is a smart user will simply use another name server somewhere
> >>on the global Internet, or at the ISP, for resolution, especially if they are
> >>sharp enough to ping 'messenger.msn.com' and see the resolved IP =
> >>127.0.0.1 :).
> >>
> >>
> >
> >How about simply blocking messenger.hotmail.com (207.46.104.20) for those who are
> >not authorised to use MSN?
> >
> >
> If you have TACACS server, an authentication proxy can be implemented
> using PIX firewall. The feature is called per user ACL using av-pair of
> radius. Search CCO and you will find many references to it.

   One more thing: if you manually configure a proxy in the browser and blank your
DNS settings (no DNS configured), the browser uses the proxy's DNS. MSN will still
work using any proxy, so making a fake entry in DNS won't work.

  I will try to look at the authentication proxy feature.

   Thanks & Regards

    Talha
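The two problems raised in the thread (MSN falling back to TCP/80 when 1863 is blocked, and only some staff being authorised) can be handled together on the PIX with an interface ACL plus the per-user ACL feature mentioned above. The following PIX 6.3-style fragment is an added example for this thread, not configuration from any of the posters and not Cisco's documentation. The interface name "inside", the RADIUS server 10.1.1.5 and the shared key are assumed; 207.46.104.20 is the messenger.hotmail.com address quoted in the thread and may have changed since, so resolve it again before relying on it.

```cisco
! Added example configuration (not from the original thread).
! Assumed: inside interface is "inside", RADIUS server is 10.1.1.5,
! shared key "r4d1u5key". 207.46.104.20 is taken from the thread.

! 1. Require authentication for outbound traffic from the inside
!    interface. Users authenticate once (e.g. via HTTP) and the PIX
!    then caches their identity (uauth) for later connections.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.5 r4d1u5key timeout 5
aaa authentication include any inside 0 0 0 0 RADIUS

! 2. Interface ACL stays open; the per-user ACL does the MSN filtering.
!    (Leaving port 80 open here is deliberate: the per-user deny on the
!    login host catches the TCP/80 fallback to 207.46.104.20 without
!    blocking web browsing in general.)
access-list outbound permit ip any any
access-group outbound in interface inside
```

The RADIUS server returns the per-user ACL in the Cisco vendor-specific attribute cisco-avpair. For the users who are not authorised, the assumed profile returns `ip:inacl#1=deny tcp any host 207.46.104.20`, `ip:inacl#2=deny tcp any any eq 1863` and `ip:inacl#3=permit ip any any`; for the authorised 10% it returns only `ip:inacl#1=permit ip any any`. The exact attribute syntax and its interaction with the interface ACL should be checked against the release notes for the PIX software in use (the thread points at CCO for this). Note that this still does nothing about a user who reaches MSN through an outbound proxy, which is the point Talha makes above: the deny on the login host only works when the client connects to it directly.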
